AWS CloudTrail

Content

  1. Create a new S3 bucket (skip if an S3 bucket to store CloudTrail logs already exists)
  2. Configure CloudTrail and the log events to be collected
  3. Create / configure the IAM identity
    1. IAM user group
    2. IAM user
  4. Create / configure the AWS IAM policy
  5. Attach the policy to the IAM group

After following the instructions in this guide, upload the following information to Onehub:

  1. aws_access_key_id
  2. aws_secret_access_key
  3. S3 Bucket name
  4. Region

About AWS CloudTrail

AWS CloudTrail is a service that enables auditing of your AWS account. With CloudTrail, you can log, monitor, and retain account activity related to actions across your AWS infrastructure. This service provides the event history of your AWS account activity, such as actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

AWS configuration

The following sections cover how to configure the Amazon CloudTrail service to integrate with your SIEM.

S3 Bucket

The first step is to create a new S3 bucket. If you want to use an already existing one, skip this step.

Amazon Simple Storage Service (Amazon S3) is an object storage service that delivers industry-leading scalability, data availability, security, and performance.

The Wazuh module for AWS requires every supported AWS service except Inspector Classic, CloudWatch Logs, and Security Lake to store its logs in an S3 bucket. A single S3 bucket can hold the logs of all these services, so there is no need to create a separate bucket for each one.

In this section we describe how to create an Amazon S3 bucket:

On your AWS console, go to Services > Storage > S3.

Click Create bucket to create a new S3 bucket.

Enter the name of your S3 bucket, then click Create bucket.

Note: Copy the bucket ARN because it will be needed later for some AWS services.

Amazon CloudTrail configuration

On your AWS console, search for “cloudtrail” in the search bar at the top of the page or go to Management & Governance > CloudTrail.

Click Create trail to create a new trail.

Assign a trail name and choose the S3 bucket that will store the CloudTrail logs (note the bucket name: you will reference it in the Wazuh module for AWS configuration). If Log file SSE-KMS encryption is enabled, enter a name for a new AWS KMS alias or choose an existing key. Keep in mind that with SSE-KMS the IAM identity that reads the logs also needs kms:Decrypt on that key; the S3-only policy later in this guide does not grant it.

Note: by default, CloudTrail delivers its log files into the bucket under this key layout:

<WAZUH_AWS_BUCKET>/<PREFIX>/AWSLogs/<ACCOUNT_ID>/CloudTrail/<REGION>/<YEAR>/<MONTH>/<DAY>

The layout may differ depending on how the services are configured, and <WAZUH_AWS_BUCKET> and <PREFIX> are whatever bucket name and prefix you chose when creating the trail.

Choose the log events to be recorded and click Next. Management events cover the console, CLI and API activity described above; data events (for example S3 object-level operations) add volume and cost, so enable them only where you need that level of detail.

Review the configuration and click Create trail.
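What ends up in the bucket once the trail is running, and what the SIEM will have to read, is shown by the following added example (it is not part of this guide or of the Wazuh module). It parses an object key that follows the layout above into its account, region and date fields, and unpacks a gzipped CloudTrail log file, a JSON document with a Records array, into the fields a detection rule usually keys on. The key, the file name and the two records are constructed for illustration; the helper names parse_trail_key, iter_records and summarize are my own.

```python
"""Parse the S3 keys and log files that CloudTrail writes into the bucket.

Added example, not part of the original guide or of Wazuh. It assumes the
default key layout quoted in the guide:
    <PREFIX>/AWSLogs/<ACCOUNT_ID>/CloudTrail/<REGION>/<YEAR>/<MONTH>/<DAY>/<file>.json.gz
The sample key and log records below are constructed for illustration.
"""
import gzip
import io
import json
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# CloudTrail key layout. The prefix is optional (absent when the trail has none).
_KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account_id>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<filename>[^/]+\.json\.gz)$"
)


@dataclass(frozen=True)
class TrailKey:
    prefix: Optional[str]
    account_id: str
    region: str
    date: str  # YYYY-MM-DD
    filename: str


def parse_trail_key(key: str) -> Optional[TrailKey]:
    """Return the fields of a CloudTrail object key, or None if it does not follow the layout."""
    m = _KEY_RE.match(key)
    if not m:
        return None
    return TrailKey(
        prefix=m.group("prefix"),
        account_id=m.group("account_id"),
        region=m.group("region"),
        date=f"{m.group('year')}-{m.group('month')}-{m.group('day')}",
        filename=m.group("filename"),
    )


def iter_records(gz_bytes: bytes) -> Iterator[dict]:
    """Yield the events from one gzipped CloudTrail log file ({"Records": [...]})."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        doc = json.load(fh)
    yield from doc.get("Records", [])


def summarize(record: dict) -> dict:
    """Reduce a CloudTrail record to the fields a SIEM rule usually keys on."""
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "source": record.get("eventSource"),
        "name": record.get("eventName"),
        "region": record.get("awsRegion"),
        "actor": ident.get("arn") or ident.get("type"),
        "src_ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),  # present only on failed calls
    }


# Constructed sample: one key and one log file, shaped the way the trail delivers them.
SAMPLE_KEY = (
    "wazuh/AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/17/"
    "123456789012_CloudTrail_us-east-1_20240517T1005Z_AbCdEf123456.json.gz"
)

SAMPLE_RECORDS = {
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
            "eventTime": "2024-05-17T10:01:12Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.7",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
            "eventTime": "2024-05-17T10:03:40Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "DeleteBucket",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.7",
            "errorCode": "AccessDenied",
        },
    ]
}


def sample_log_file() -> bytes:
    """Gzip the constructed records the way CloudTrail delivers them."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


if __name__ == "__main__":
    print(parse_trail_key(SAMPLE_KEY))
    for rec in iter_records(sample_log_file()):
        print(summarize(rec))
```

The key parser is what lets a collector restrict itself to one account, region or day instead of listing the whole bucket; the record summary is the minimum a rule needs, and the errorCode field is where denied attempts (the second constructed record) become visible.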

Configuring AWS IAM Identities

In AWS Identity and Access Management (IAM), an identity represents a human user or programmatic workload that can be authenticated and authorized to perform actions in AWS. The Wazuh module for AWS requires authentication and authorization through an IAM identity to integrate with supported AWS services.

In the following sections, we describe how to create an IAM user group, how to create an AWS IAM user with access credentials, and how to add the user to the group.

Creating an IAM user group

Create a user group that an AWS IAM user will be added to.

On the AWS console, search for iam and click IAM from the results.

Go to User groups and click Create group to create a new group.

Assign a name for the group, scroll down, and click Create group.

Confirm the group has been successfully created.

Creating an IAM user

Wazuh requires an AWS IAM user with the necessary permissions to collect log data from the different AWS services. We show below how to create a new IAM user in your AWS environment and obtain the access credentials.

Create a new IAM user and add it to a user group:

On your AWS console, navigate to Services > IAM > Users > Create user.

Assign a username and click Next.

Assign the user to the previously created group and click Next to proceed.

Review the selected options and click Create user.

Confirm the user creation.

Obtain the necessary access credentials for the IAM user.

Click on the created IAM user, go to Security credentials, scroll down to Access keys, and click Create access key.

Select and confirm the Command Line Interface (CLI) use case and click Next.

Assign a description tag value and click Create access key.

Save the access credentials; you will use them later to configure the Wazuh module for AWS. If you do not copy the secret access key before you click Done, you cannot recover it later; you would have to create a new access key instead. Treat the key pair as a long-lived credential: store it only where this guide asks for it and rotate it if it is ever exposed.

Configuring AWS policy

In AWS, a policy is an entity that links permissions with an identity or resource. The permissions in a policy determine whether a request is allowed or denied.

In this section, we describe how to create an AWS policy and how to attach the policy to a group.

Creating an AWS policy

Depending on the AWS service that will be monitored, the AWS IAM user will need different sets of permissions. The permissions required for each AWS service are explained on each page of the supported services section.

In this article, we detail the permissions required for the CloudTrail service.

Follow the steps below on your AWS console to create an AWS policy that allows reading logs from an S3 bucket.

On the AWS console, search for iam and click IAM from the results.

Click Policies > Create policy.

Switch to the JSON view, remove the default statement, and paste the following configuration. Replace <WAZUH_AWS_BUCKET> with the name of the previously created S3 bucket. This policy lets the IAM user list the bucket (s3:ListBucket, on the bucket ARN) and download objects from it (s3:GetObject, on the object ARN), and nothing else.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetS3Logs",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

Click Next to proceed to the next step.

Confirm the policy creation.

Attaching a policy to an IAM user group

After you create a policy, you can attach it to groups, users, or roles. In this guide we attach it to the group created earlier, so that every user in that group inherits its permissions.

Navigate to User groups and click on a previously created group.

Navigate to Permissions, click Add permissions, then Attach policies.

Search for the policy, select the checkbox next to it, and click Attach policies to attach it to the group.

Confirm the policy is attached to the group.

The policy above follows the principle of least privilege: the IAM user can only list the log bucket and read objects from it, which is all the Wazuh module needs to collect CloudTrail logs.
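To keep that property checkable rather than assumed, here is an added example (not part of this guide or of Wazuh) that rebuilds the policy above for a given bucket and flags anything broader: wildcard actions, actions beyond the two needed, resources outside the named bucket, or a missing bucket or object ARN. The bucket name my-cloudtrail-logs, the WEAK_POLICY variant and the helper names reader_policy and policy_findings are constructed for the example.

```python
"""Check that the log-reader policy stays least-privilege.

Added example, not part of the original guide or of Wazuh. It encodes the
intent of the policy shown in the guide: the IAM user may only list the log
bucket and read objects from it. The bucket name and the weak variant below
are constructed for illustration.
"""
import json
from typing import List

# The only actions the Wazuh module needs to pull CloudTrail logs from S3.
ALLOWED_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def reader_policy(bucket: str) -> dict:
    """Build the guide's policy for the given bucket name."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GetS3Logs",
                "Effect": "Allow",
                "Action": sorted(ALLOWED_ACTIONS),
                "Resource": [
                    f"arn:aws:s3:::{bucket}/*",  # objects: needed by s3:GetObject
                    f"arn:aws:s3:::{bucket}",    # bucket: needed by s3:ListBucket
                ],
            }
        ],
    }


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy: dict, bucket: str) -> List[str]:
    """Return least-privilege violations; an empty list means the policy is as tight as the guide's."""
    findings = []
    want_bucket = f"arn:aws:s3:::{bucket}"
    want_objects = f"{want_bucket}/*"
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if "*" in a:
                findings.append(f"{sid}: wildcard action {a!r}")
            elif a not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {a!r} is not needed to read logs")
        for r in resources:
            if r == "*" or not r.startswith("arn:aws:s3:::"):
                findings.append(f"{sid}: resource {r!r} is not scoped to S3")
            elif r not in (want_bucket, want_objects):
                findings.append(f"{sid}: resource {r!r} is outside bucket {bucket!r}")
        # Each action must be paired with the ARN type it actually evaluates against.
        if "s3:ListBucket" in actions and want_bucket not in resources:
            findings.append(f"{sid}: s3:ListBucket needs the bucket ARN {want_bucket!r}")
        if "s3:GetObject" in actions and want_objects not in resources:
            findings.append(f"{sid}: s3:GetObject needs the object ARN {want_objects!r}")
    return findings


# Constructed weak variant: a common shortcut that grants far more than log reading.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    good = reader_policy("my-cloudtrail-logs")
    print(json.dumps(good, indent=2))
    print("good policy findings:", policy_findings(good, "my-cloudtrail-logs"))
    print("weak policy findings:", policy_findings(WEAK_POLICY, "my-cloudtrail-logs"))
```

The paired-ARN checks matter in practice: s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARN, so a policy that lists only one of the two will pass a casual review yet fail at collection time.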

Upload Info to Onehub

After following the instructions in this guide, upload the following information to Onehub (as a txt file):

  1. aws_access_key_id
  2. aws_secret_access_key
  3. S3 Bucket name
  4. Region
